SOME INFO that maked me surprised it was some insecurity level on RFC 5961 implemented on all lastest kernels (source:hackernews)
to block tcp attacks add this line on /etc/sysctl.conf
#net.ipv4.tcp_challenge_ack_limit = 999999999

I should read up on this, so far all I've done in terms of security is: sudo ufw enable.
Just out of interest if mint is aimed at the beginner who might never use the terminal why does the distro ship with the firewall turned off by default?

I will have to verify on my Mint 18.x xfce whether gufw is present there as well. Yet, I can assure you that on Linux Mint 18.1 64-bit Cinnamon, the graphical interface for the terminal command ufw, gufw, is present out of the box.
All you have to do in the Mint menu is enter the word "firewall" in the search box (without the double quotes); and you will be presented the launcher of "Firewall Configuration". The executable behind this launcher item is gufw.gufw permits you to enable the firewall software ufw without resorting to the terminal.
Once you have done so, you may start wondering whether a graphical application is always more friendly for new Linux Mint users than entering a really brief commandline like sudo ufw enable.

Here is one more brief commandline which will check the status of ufw: sudo ufw status verbose

I am not quite sure whether it is really wise to leave the firewall ufw disabled by default, at least not without telling the user that ufw exists, but has to be enabled in case it is needed.
Yet, the decision to install ufw, but leave it disabled by default is common to Ubuntu and Linux Mint.
I am sure we can have a very long and controversial discussion about it. No matter whether the result would be to enable ufw by default or to leave it disabled by default half of the users would be dissatisfied with the decision, I guess.

karlchen wrote:Once you have done so, you may start wondering whether a graphical application is always more friendly for new Linux Mint users than entering a really brief commandline like sudo ufw enable.

Yes, it is, because new users don't know that that is a thing that they can enter, while they may find the GUI for UFW by just looking around in the menu.

If your issue is solved, kindly indicate that by editing the first post in the topic, and adding [SOLVED] to the title. Thanks!

I agree that using the command line can be the simplest and fastest way of doing things which is why despite being a novice user I try to use it frequently because I don't want to be scared of it, however if you read YouTube comments and watch videos about Linux a lot of people will complain about how we are geeks married to the command line and Linux will never see significant market share until it's like a Mac where every last thing can be done in the gui. Finding gufw was interesting, I guess we're trying to move towards something like that.

Ufw being disabled by default due to a router firewall is interesting, did it detect that I have one or does it just assume everyone does these days? I expect I do have one because my router is relatively modern I think it's been less than a year since talk talk started using it but I don't know for sure. I understand that Linux is a lot more secure out of the box than windows as well so is the idea that you are secure enough without it and leaving it in by default might cause issues from using it as a server? I could understand leaving it disabled on a server distro but a home user distro? I dunno I'm sure they have their reasons but it's still a little strange to me

CaseyMarie wrote:Ufw being disabled by default due to a router firewall is interesting, did it detect that I have one or does it just assume everyone does these days?

Default settings are aimed at being reasonable for most people, not for all people....

By default the firewall isn't activated, because a) there might already be an active firewall in the router and b) behind the ports that are exposed to the internet, there aren't any listening services. At least not in a standard installation. An attacker can't do anything without a listening service that keeps a port open.

However, in certain cases you do need a firewall. For instance when you share an unprotected wireless network, or when you've activated some services on your computer. So in order to be on the safe side, I advise to turn on the firewall in all cases.

I expect I do have one because my router is relatively modern I think it's been less than a year since talk talk started using it but I don't know for sure.

Pjotr wrote:... By default the firewall isn't activated, because a) there might already be an active firewall in the router and b) behind the ports that are exposed to the internet, there aren't any listening services. At least not in a standard installation. An attacker can't do anything without a listening service that keeps a port open.

However, in certain cases you do need a firewall. For instance when you share an unprotected wireless network, or when you've activated some services on your computer. So in order to be on the safe side, I advise to turn on the firewall in all cases.....

100% true.

My netbook, which is what I use to schlep around , is what I've used to do some distro/DE hopping in the past. I'm ashamed to say that there were several times I forgot to enable the firewall after installing. I would never, ever have done that in WIndows. It'd be insane. Once I forgot for over a month.

And guess what? Despite the fact that it's what I use if I'm in a cafe hotspot, I never got hacked once.

ITS COMPLETELY A LIE that linux is 100% safe.
In many cases i was able to detect some hacking entering in my linux.
Today i realize THAT SAMBA someone can create net sharing folder without my administration sudo !!
yesterday someone created k350-PC net sharing folder in nautilus while im surfing... and today in another WIFI someone created another net sharing folder in nautilus! - I HATE SHARING TOOLS.
Linux security decreases a lot with RSYNC, SAMBA, BLUEZ, AVAHI-AUTOIPD and SSH already in a bundle.

And YES its true, linux lets you made your own config but at the same time if you dont spent time to study... you lost your privacy.

FIRST
i dont need to justify to you in a rude way
SECOND
i have been honest
THIRD
i already noticed that you, always answers in a same way.
Over a decade, etc - no one entered in my linux... Question: IS a copy paste?
NSA and Secret services have decrypt servers that blow your mind.